developing secure applications martin knobloch

Post on 28-Jun-2015


TRANSCRIPT

Developing Secure Applications

Martin Knobloch, Sogeti Nederland B.V., Design and Software Architecture

www.OWASP.org

Developing Secure Applications! PHP Business Seminar

• Security Requirements?

• Security Awareness!

• Application Security?

• Secure Development Process!

• Stay Secure?

• Summary, Questions And Discussion


Proactive Security Strategy:

• To make application security a standard subject of application development
  > By making all roles inside an application development process aware of the possibilities and threats.

• Supplying education, standards, tooling, protocols and best practices to optimise the Secure Development Process

• Technologies
  > Functional Design / Information Analysis
  > Design & Software Architecture
  > Java
  > Oracle
  > CMS/Portals
  > PHP
  > Cobol / Uniface
  > Test


Open Web Application Security Project:

• World Wide Open Source Community!

• Dedicated to finding and fighting the causes of insecure software.

• Tools
  > WebGoat Project
  > WebScarab Project
  > ...

• Documentation
  > Top Ten Project
  > Guide Project
  > AppSec FAQ Project
  > Testing Guide Project
  > PHP Project
  > ...


[Slide diagram: requirements levels. User requirements, Business requirements and System requirements, split into Functional and Non-functional requirements, with Business rules, External interfaces and Constraints; the levels are labelled 'Why', 'What', 'How' and 'Who?'.]


The environments in which the software applications ran were closed.

•  Because of this, the applications could be developed ‘open’.

The environments became more open over time.

•  Which means the applications have to become more closed.


The Problems:

• Cookies, HTTP authentication, SSL..

• Low learning curve

• Easy to attack (web) applications


Consciously!

• Cracker

• Hacker

• Scriptkiddie

Risk = (Threats * Vulnerabilities / Countermeasures) * Value

Unconsciously!

• User

• System

• Environment


Applications are about information!

3 pillars of Information Security:

> Confidentiality

> Integrity

> Availability

[Slide diagram: Functional Specification and Technical Implementation, each marked Insecure or Secure.]

An application is secure if it acts and reacts as expected, at any time!


OWASP TOP TEN:

1. Cross Site Scripting
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object References
5. Cross Site Request Forgery
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communication
10. Failure to Restrict URL Access


Source: www.mitre.org

Example:

The username is ‘Administrator’ and the password is ‘TopSecret’

USERNAME: Administrator PASSWORD: *****

The username is ‘Administrator’ and the password is ‘crap’ or 1=1;

USERNAME: Administrator PASSWORD: ***** or 1=1
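The two logins on this slide, written out as an added example that is not part of the original presentation: a PHP login check that builds its SQL from the form fields, next to the same check as a prepared statement with hashed passwords and database errors sent to the log instead of the user (the Top Ten's "Information Leakage and Improper Error Handling"). It assumes PDO with the SQLite driver and an in-memory table constructed inline; the injected password is written as `crap' or 1=1 --` so that the trailing comment keeps the query syntactically valid, which the slide's shorter form leaves out.

```php
<?php
declare(strict_types=1);

// Constructed sample data: one account, stored both as plaintext (which the
// string-built variant needs) and as a hash (which the hardened variant uses).
function setupDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, password_hash TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users VALUES (:u, :p, :h)');
    $stmt->execute([
        ':u' => 'Administrator',
        ':p' => 'TopSecret',
        ':h' => password_hash('TopSecret', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// Vulnerable: the form fields are concatenated into the SQL text, so the
// password  crap' or 1=1 --  closes the string, appends a tautology and
// comments out the rest. The WHERE clause is then always true.
function loginVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$username' AND password = '$password'";
    return (int) $pdo->query($sql)->fetchColumn() > 0;
}

// Hardened: a prepared statement keeps the input as data, the password is
// compared against a hash, and a database error is logged rather than echoed.
function loginSafe(PDO $pdo, string $username, string $password): bool
{
    try {
        $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $hash = $stmt->fetchColumn();          // false when the user does not exist
        return $hash !== false && password_verify($password, $hash);
    } catch (PDOException $e) {
        error_log('login failed: ' . $e->getMessage()); // detail for the operator only
        return false;                                    // generic answer for the user
    }
}

$pdo = setupDatabase();
$injected = "crap' or 1=1 --";

printf("string-built query, real password:  %s\n", loginVulnerable($pdo, 'Administrator', 'TopSecret') ? 'granted' : 'denied');
printf("string-built query, injected input: %s\n", loginVulnerable($pdo, 'Administrator', $injected) ? 'granted' : 'denied');
printf("prepared statement, real password:  %s\n", loginSafe($pdo, 'Administrator', 'TopSecret') ? 'granted' : 'denied');
printf("prepared statement, injected input: %s\n", loginSafe($pdo, 'Administrator', $injected) ? 'granted' : 'denied');
```

Run it with the PHP CLI (`php login.php`, with the pdo_sqlite extension enabled): the string-built variant grants the injected input, the prepared-statement variant denies it. The prepared statement fixes the injection; hashing and the `catch` block are what turn the slide's "Error handling?" and "Insecure Cryptographic Storage" points into code.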


[Slide diagram: Secure Development Process, built on Education and Experience, supported by Protocols, Rules, Standards, Best Practices and Tooling, with Evaluation and Feedback.]


[Slide diagram: System Environment. Internet, Web Application, Back Office and Database, separated by three firewalls; the Web Application sits in the DMZ, the Back Office and Database in the Private Network. Questions asked at each tier: System user? System rights? Error handling? Database rights? User rights?]


Functional Designers & Architects: > It is not only about what functionality the application has to supply, it is also about what it may not do!

Engineers: > Quality is not just ‘does it work’.

Testers: > Security weaknesses are no different from other, functional, bugs. They can be traced down the same way.

Managers: > Reserve project time for security > Understand security as a mandatory value of an application

Security Analyst: > Involve a security analyst at the beginning of the design phase.
